Off-line analysis II

If so, do you mean that the first (real traffic) result and the second (trace) result just have different log file names?
In the real-time case: "attack"."server name".date info
In the off-line case: "attack".log
???

active_log
-rw-r--r-- 1 root root 0 2004-12-11 01:05 alarm.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 conn.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 ftp.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 http.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 787 2004-12-11 01:05 info.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 notice.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 signatures.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 smtp.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 software.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 12288 2004-12-11 01:05 weird.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 worm.cist.04-12-11_01.05.10

-rw-r--r-- 1 root root 5478 2004-12-10 14:04 alarm.log
-rw-r--r-- 1 root root 3828 2004-12-10 14:04 backdoor.log
-rw-r--r-- 1 root root 4430446 2004-12-10 14:04 conn.log
-rw-r--r-- 1 root root 992902 2004-12-10 14:04 dns.log
-rw-r--r-- 1 root root 122129 2004-12-10 14:04 ftp.log
-rw-r--r-- 1 root root 12178262 2004-12-10 14:04 http.log
-rw-r--r-- 1 root root 124416 2004-12-10 14:04 icmp.log
-rw-r--r-- 1 root root 5376365 2004-12-10 14:04 mime.log
-rw-r--r-- 1 root root 9499 2004-12-10 14:04 notice.log
-rw-r--r-- 1 root root 561990 2004-12-10 14:04 relay.log
-rw-r--r-- 1 root root 0 2004-12-10 14:02 signatures.log
-rw-r--r-- 1 root root 1681584 2004-12-10 14:04 smtp.log
-rw-r--r-- 1 root root 0 2004-12-10 14:02 software.log
-rw-r--r-- 1 root root 5899 2004-12-10 14:04 ssh.log
-rw-r--r-- 1 root root 0 2004-12-10 14:02 step.log
-rw-r--r-- 1 root root 2505550 2004-12-10 14:04 weird.log
-rw-r--r-- 1 root root 0 2004-12-10 14:02 worm.log
drwxr-xr-x 2 root root 4096 2004-12-10 14:03 xscript.log

Hi,

> Dear Great Researchers,
>
> When I tried to do Bro Offline test, I just got many ***.log files about
> dos dump, normal dump, and so on.
> However, when I tried to do that in real time mode, I could have various
> alert about real time packets.
>
> Could you let me know how I can obtain more realistic Bro alert result in

The logs in question are just being named differently by the differing mechanisms that are running bro. When bro runs, it checks for an environmental variable called BRO_LOG_SUFFIX which it appends to the end of the file name. When you manually run bro, typically this is not defined and you get ex:

alarm.log

When you start bro via the bro.rc script, the value is defined and you get a file name of:

alarm.cist.04-12-11_01.05.10

This was put in place to prevent file name collisions on long running boxes.

What bro puts into the files is the same in both cases.

Is this helpful?

scott
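The naming rule Scott describes, and the two listings in the question above, can be modelled with a small shell helper so that off-line and real-time logs can be fed to the same analysis regardless of which scheme named them. This is an added example, not code from the Bro project or from either poster. It assumes that an unset or empty BRO_LOG_SUFFIX falls back to the literal suffix "log", so both schemes reduce to "stream.suffix"; the bro_log_* function names and the timestamp-shape check are constructions for this example, not taken from bro.rc.

```shell
#!/bin/sh
# Added example (not Bro project code): models the BRO_LOG_SUFFIX naming rule.
# Assumption: with BRO_LOG_SUFFIX unset or empty, Bro uses the suffix "log",
# so "alarm.log" (manual run) and "alarm.cist.04-12-11_01.05.10" (bro.rc run)
# are both "<stream>.<suffix>".

# Print the file name the rule yields for a stream such as "alarm" or "conn".
bro_log_name() {
    printf '%s.%s\n' "$1" "${BRO_LOG_SUFFIX:-log}"
}

# Recover the stream name from either scheme: everything before the first dot.
bro_log_stream() {
    printf '%s\n' "${1%%.*}"
}

# Recover the suffix: "log" for a manual run, "<host>.<date>_<time>" for bro.rc.
bro_log_suffix() {
    printf '%s\n' "${1#*.}"
}

# Return 0 when a suffix has the shape seen in the listing above
# (host.YY-MM-DD_HH.MM.SS).  Constructed pattern, not read from bro.rc.
bro_suffix_is_timestamped() {
    case "$1" in
        *.[0-9][0-9]-[0-9][0-9]-[0-9][0-9]_[0-9][0-9].[0-9][0-9].[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk a constructed set of file names taken from the two listings in the thread
# and report, for each, which stream it belongs to and how it was started.
demo() {
    for f in alarm.log conn.log alarm.cist.04-12-11_01.05.10 weird.cist.04-12-11_01.05.10; do
        s=$(bro_log_stream "$f")
        x=$(bro_log_suffix "$f")
        if bro_suffix_is_timestamped "$x"; then
            printf '%-32s stream=%-6s started via bro.rc (suffix %s)\n' "$f" "$s" "$x"
        else
            printf '%-32s stream=%-6s manual run\n' "$f" "$s"
        fi
    done
    # The same stream name under each scheme; subshells keep the variable local.
    printf 'unset:  %s\n' "$( (unset BRO_LOG_SUFFIX; bro_log_name alarm) )"
    printf 'bro.rc: %s\n' "$( (BRO_LOG_SUFFIX=cist.04-12-11_01.05.10; bro_log_name alarm) )"
}

demo
```

The stream name is what an analysis pipeline should key on, since it is the only part of the file name that is stable across manual and bro.rc runs; the suffix is useful only for telling which host and start time a set of real-time logs belongs to.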

shonx001 wrote: